Linux tips and tricks for faster and easier administration of Linux servers and applications! Troubleshooting and solutions!

Friday, 31 October 2014

sftp user action logs - EXPLAINED and SOLVED

I already wrote about how to set up SFTP and why to use it. Time has passed and someone asks you to check whether a user connected over sftp added/renamed/downloaded/uploaded/deleted some file or folder. You go to /var/log and search for logs about sftp actions. And all that you can find is ...

So as you can see there is no log of what a user connected over sftp is doing. At some point in time someone will tell you that this is a security issue (where are these files? who deleted them?). So how do you get such logs? It is quite simple if you understand how logs are created, how chroot works and, of course, if you are reading this!

A few things to know about logs and chroot

As you know, sftp users (in my case user boris) are all chrooted to the directory configured in /etc/ssh/sshd_config with the ChrootDirectory directive. In case you do not know what this means: once the user is connected he cannot leave this location. The user can't do anything outside this folder; read/write operations are limited to his sftp folder. If you are wondering why I wrote three sentences about the user not being able to leave the chroot directory, wait just a bit more. Rsyslog or syslog captures events through the socket /dev/log. This is important because sftp is a feature of ssh, and ssh uses rsyslog to store its logs in /var/log. The permissions on /dev/log are:

# ls -la /dev/log
srw-rw-rw- 1 root root 0 Oct 31 12:54 /dev/log
So anybody who can reach /dev/log can write logs through rsyslog. But can the sftp user reach /dev/log? NO! Why? Because he is captured inside his chrooted directory!!! So the idea is to keep the user chrooted but still let him write to /dev/log.

Configuration in sshd_config

To enable logs for sftp-server we must first enable them in sshd_config. Change the line

Option -l (lowercase L) sets the log level and option -f sets the syslog facility. Do not give -f the location of a file; which file the messages end up in is decided in rsyslog.conf.
After you make the necessary changes, restart the ssh service.

#/etc/init.d/sshd restart
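Once the internal-sftp messages reach /var/log (under the facility chosen with -f), answering the question from the introduction still takes some work, because sftp-server writes the username only on the "session opened/closed" lines. The script below is an added example, not part of this post: it attributes every line to a user through the PID and builds a per-path audit trail. The hostname sftp01, user alice, PIDs, addresses and paths in the sample are made up, shaped like the lines rsyslog writes at log level INFO.

```python
import re

# Constructed sample of what rsyslog writes for internal-sftp at log level INFO
# (hostname sftp01, user alice, PIDs, addresses and paths are made up).
SAMPLE_LOG = """\
Oct 31 13:02:11 sftp01 internal-sftp[4711]: session opened for local user boris from [10.0.0.5]
Oct 31 13:02:15 sftp01 internal-sftp[4711]: open "/upload/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
Oct 31 13:03:02 sftp01 internal-sftp[4711]: rename old "/upload/report.pdf" new "/upload/report_v2.pdf"
Oct 31 13:03:40 sftp01 internal-sftp[4711]: open "/upload/old.txt" flags READ mode 0666
Oct 31 13:03:41 sftp01 internal-sftp[4711]: remove name "/upload/old.txt"
Oct 31 13:04:00 sftp01 internal-sftp[4711]: session closed for local user boris from [10.0.0.5]
Oct 31 13:05:10 sftp01 internal-sftp[4720]: session opened for local user alice from [10.0.0.9]
Oct 31 13:05:12 sftp01 internal-sftp[4720]: rmdir name "/incoming/tmp"
"""
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ '
                     r'(?:internal-sftp|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$', re.M)
SESSION_RE = re.compile(r'^session (?P<state>opened|closed) for local user '
                        r'(?P<user>\S+) from \[(?P<addr>[^\]]+)\]')
# Checked in order, so an open with READ,WRITE flags is classed as an upload.
ACTION_RES = [
    ("upload",   re.compile(r'^open "(?P<path>[^"]*)" flags \S*WRITE')),
    ("download", re.compile(r'^open "(?P<path>[^"]*)" flags READ\b')),
    ("delete",   re.compile(r'^(?:remove|rmdir) name "(?P<path>[^"]*)"')),
    ("rename",   re.compile(r'^(?:posix-)?rename old "(?P<path>[^"]*)" new "(?P<new>[^"]*)"')),
]

def parse_sftp_log(text):
    """Return (ts, user, action, path, new_path) tuples; the user is correlated
    by PID because sftp-server names it only on session open and close."""
    user_by_pid, events = {}, []
    for m in LINE_RE.finditer(text):
        ts, pid, msg = m.group("ts", "pid", "msg")
        s = SESSION_RE.match(msg)
        if s and s.group("state") == "opened":
            user_by_pid[pid] = s.group("user")
            events.append((ts, s.group("user"), "login", s.group("addr"), ""))
        elif s:
            user_by_pid.pop(pid, None)   # the PID may be reused by a later session
        else:
            for action, rx in ACTION_RES:
                a = rx.match(msg)
                if a:
                    events.append((ts, user_by_pid.get(pid, "?"), action,
                                   a.group("path"), a.groupdict().get("new", "")))
                    break
    return events

def who_touched(events, path):
    """Audit trail for one path: (ts, user, action) for every event touching it."""
    return [(ts, u, act) for ts, u, act, p, new in events if path in (p, new)]
```

Feed it the real file from /var/log (for example the one your rsyslog.conf routes the chosen facility to) instead of SAMPLE_LOG, and who_touched(events, "/some/path") answers "who deleted it and when".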

Accessing /dev/log from chrooted folder

How to do this? My sftp folder is defined in sshd_config by the ChrootDirectory /opt/sftp_test/%u directive and my sftp user is boris. Follow these steps!